wshrat | 76ba79480eb105609ad6add997a2c26a1c27e7c0eb97760f49dc8545d8f1a7d0 | Triage

Sharing

General

Target

ORDER-023816.pdf.vbs
Size

9KB
Sample

230817-wtrjkabg66
MD5

50615b36f7a22881d8cc2938257d8064
SHA1

836cb5b89aed1b189c2d4d3c33371c29c1a406b7
SHA256

76ba79480eb105609ad6add997a2c26a1c27e7c0eb97760f49dc8545d8f1a7d0
SHA512

a7eb15724e977cd4151e4dd74a9590009f655661028e93222b933b0d121e604c7cee82ba554b09d9276cc90e8d5abb6612a3deaf7a6e79b9b6c3a1897f4549bf
SSDEEP

48:KDE9y43sbbf4KkgGewDE9y48bdZFy4KkgGewDE9y483sZzz4KkgGew8Zb43sbbfy:US1+uFR4e1e11qLPfo11qMMcOP7

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  ORDER-023816.pdf.vbs
- Size
  
  9KB
- MD5
  
  50615b36f7a22881d8cc2938257d8064
- SHA1
  
  836cb5b89aed1b189c2d4d3c33371c29c1a406b7
- SHA256
  
  76ba79480eb105609ad6add997a2c26a1c27e7c0eb97760f49dc8545d8f1a7d0
- SHA512
  
  a7eb15724e977cd4151e4dd74a9590009f655661028e93222b933b0d121e604c7cee82ba554b09d9276cc90e8d5abb6612a3deaf7a6e79b9b6c3a1897f4549bf
- SSDEEP
  
  48:KDE9y43sbbf4KkgGewDE9y48bdZFy4KkgGewDE9y483sZzz4KkgGew8Zb43sbbfy:US1+uFR4e1e11qLPfo11qMMcOP7
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

wshratpersistencetrojan